JOURNAL OFFICIEL 

DU GRAND-DUCHE DE LUXEMBOURG 


MEMORIAL A 


N° 13 du 3 janvier 2018 


Institut Luxembourgeois de Regulation - Reglement ILR/T17/11 du 14 decembre 2017 relatif aux 
specifications techniques pour I’interception des communications electroniques au Luxembourg - 
Secteur communications electroniques. 

La Direction de I’lnstitut Luxembourgeois de Regulation, 

Vu la loi modifiee du 27 fevrier 2011 sur les reseaux et les services de communications electroniques et 
notamment son article 4 ; 

Vu la loi modifiee du 30 mai 2005 concernant la protection de la vie privee dans le secteur des 
communications electroniques et notamment son article 5 ; 

Vu la consultation publique nationale du 14 septembre 2017 au 16 octobre 2017 concernant le projet de 
reglement relatif aux specifications techniques pour I’interception des communications electroniques au 
Luxembourg ; 

Vu les reponses a la consultation publique susvisee ; 


Arrete: 


Titre I - Champ d’application et definitions 


Art. 1 er . 

Le present reglement a pour objectif de definir le format et les modalites de mise a disposition des donnees 
techniques et des equipements afin de permettre aux autorites competentes en la matiere I’accomplissement 
de leurs missions legales de surveillance des communications. Sont notamment visees les mises a 
disposition de toutes formes de communications interceptees et des donnees y afferentes en vertu des 
articles 67-1, 88-1, 88-2 du Code de procedure penale ainsi que de I’article 7 de loi du 5 juillet 2016 portant 
reorganisation du Service de renseignement de I'Etat (ci-apres « la loi du 5 juillet 2016 »). 

Art. 2. 

Au sens du present reglement, on entend par: 

(1) autorisation : decision prise conformement aux articles 67-1,88-1 et 88-2 du Code de procedure penale 
et 7 de la loi du 5 juillet 2016, et ordonnant une mesure de surveillance ; 

(2) autorite legale : les autorites competentes agissant conformement aux articles 67-1,88-1 et 88-2 du Code 
de procedure penale et agissant dans le cadre de I’article 7 de la loi du 5 juillet 2016 ; 

(3) cible : personne physique ou morale a I’encontre de laquelle la mesure de surveillance est ordonnee ; 

(4) communication interceptee : communication faite moyennant un reseau ou service de communication 
electronique et faisant I’objet d’une mesure d’interception ; 

(5) mesure d’interception : mesure de surveillance appliquee a I’egard des communications d’une cible aux 
fins d’acceder a tout contenu, y compris les donnees afferentes, ainsi qu’a toute information relative aux 
communications en question ; 

(6) mesure de surveillance : mesure ordonnee en application des articles 67-1, 88-1 et 88-2 du Code de 
procedure penale ainsi que de I’article 7 de la loi du 5 juillet 2016 ; 

(7) exploitant: operateur ou toute entreprise notifiee conformement a la loi du 27 fevrier 2011 sur les reseaux 
et les services de communications electroniques ; 
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(8) service-cible : un reseau de communication public ou un service de communications electroniques vises 
par une mesure de surveillance. 

Titre II - Mise a disposition des communications surveillees 


Art. 3. 

Dans le respect de I’autorisation legale, la mise a disposition par I’exploitant des donnees de la mesure 
d’interception a I’autorite legale concernee, en ce compris la communication interceptee, doit se faire en 
temps reel. La forme dans laquelle les donnees doivent etre transmises et les modalites techniques de 
la transmission, sont definies dans les specifications techniques nationales (National Specifications for 
Luxembourg) qui se trouvent en annexe du present reglement et en font partie integrante. 

Art. 4. 

Des la notification de I'autorisation legale a I'exploitant, celui-ci s’efforce a mettre en oeuvre incessamment 
les mesures d’interception ordonnees sans que cette mise en oeuvre ne puisse depasser les delais maxima 
suivants : 


Circonstances 

Delai maximum 

operation de routine 

I’autorisation legale est notifiee pendant les heures 
de bureau 

4 heures 

operation urgente 

I’autorisation legale est notifiee pendant les heures 
de bureau 

30 minutes 

operation urgente 

I’autorisation leaale est notifiee en dehors des 
heures de bureau 

2 heures 


Art. 5. 

(1) Au cas ou un exploitant utilise des procedes de codage, de compression ou de chiffrement, les 
informations interceptees sont a delivrer aux autorites legales en clair. 

(2) Au cas ou un exploitant modifie le contenu d'une communication, il est egalement tenu a le reconvertir 
dans sa forme initiale avant de le transferer a I'autorite legale effectuant la mesure d’interception. 

(3) Au cas ou la cible modifie le contenu d'une communication par chiffrement ou codage ou en iui 
administrant tout autre traitement de chiffrement, I'exploitant devra offrir tout le support possible aux autorites 
legales pour faciliter I'aneantissement de ce genre de chiffrement. 

Titre III - Mesures de securite 


Art. 6. 

(1) Le dispositif d'interception de communications ne doit en aucun cas modifier la prestation du service-cible 
ni fournir une indication a un utilisateur de celui-ci qu'une mesure d’interception est en cours. 

(2) L'exploitant doit tenir un registre de toutes activites liees aux mesures d’interception. Ce registre 
doit contenir les informations suivantes pour chaque operation (initialisation d'une mesure d'interception, 
prolongation, cloture d'une mesure d'interception, etc.) : 

a) I'identite de la personne autorisee ayant effectue I’operation ; 

b) reference(s) du service ayant ete I'objet de I’operation ; 

c) genre d'operation effectuee ; 

d) date et heure de I’operation. 

(3) Un controle du registre par I'autorite legale concernee doit etre accorde a tout moment. 
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(4) L'exploitant est tenu de proteger de fagon adequate les informations relatives aux mesures d’interception 
et aux equipements utilises et de ne les divulguer a quiconque d'autre que les personnes autorisees 
mentionnees ci-dessus sans que I’autorisation ecrite ne soit transmise prealablement par I'autorite legale 
concernee. 

(5) Tout acces non-autorise reel ou tente pour obtenir des informations sur les mesures d’interception et sur 
les equipements utilises est a signaler a I'autorite legale concernee. 

Titre IV - Dispositif d’interception 


Art. 7. 

(1) Le dispositif d'interception utilise dans le cadre des mesures d’interception doit pouvoir permettre 
I'interception simultanee d’une meme cible par plusieurs autorites legales differentes et ceci pour tous les 
services-cibles. 

(2) Les mesures d’interception des differentes autorites legales doivent rester separees de fagon a eviter 
que les cibles de I'une des autorites legales ne soient divulguees a une autre. 

Art. 8. 

La fiabilite et la qualite de service d'un dispositif d'interception doivent au moins etre egales a la fiabilite et 
la qualite de service du service-cible. 


Titre V - Dispositions diverses 


Art. 9. 

(1) A partir de son entree en vigueur, les exploitants disposent d’un delai de douze mois pour faire les 
adaptations requises suite a la modification de I’annexe au present reglement par rapport a I’annexe au 
reglement 14/184/ILR du 15 decembre 2014 relatif aux specifications techniques pour I’interception des 
communications electroniques au Luxembourg. 

(2) Une prorogation de douze mois du delai vise au paragraphe (1) peut etre accordee par I’lnstitut pour 
des services de faible importance sur le marche des communications electroniques. A cette fin, l’exploitant 
introduit aupres de I’lnstitut une demande ecrite, documentant la faible importance du service vise sur le 
marche des communications electroniques. 

(3) Une prorogation accordee conformement au paragraphe (2) peut etre renouvelee a I’issue de douze mois, 
lorsque les services de communications electroniques concernes sont de moindre importance sur le marche 
des communications electroniques, lorsque leur importance sur le marche des communications electroniques 
est en declin rapide et definitif ou lorsque les equipements respectifs approchent a la fin de leur cycle de vie. 

(4) L’importance sur le marche des communications electroniques d’un service, telle que visee aux 
paragraphes (2) et (3) s’apprecie notamment par le nombre d’utilisateurs, le chiffre d’affaires et la pertinence 
du service pour les autorites legales. 

(5) Avant toute decision d’accorder une prorogation, la demande de l’exploitant est transmise par I’lnstitut 
aux autorites legales pour avis. La decision est notifiee par I’lnstitut au demandeur et aux autorites legales. 

Titre VI - Dispositions abrogatoires et finales 


Art. 10. 

Le reglement 14/184/ILR du 15 decembre 2014 relatif aux specifications techniques pour I’interception des 
communications electroniques au Luxembourg est abroge. 
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Art. 11. 

Le present reglement sera publie au Journal officiel du Grand-Duche de Luxembourg et sur le site Internet 
de I’lnstitut. 


La Direction, 


Michele Bram 

Directrice adjointe 


Camille Hierzig 

Directeur adjoint 


Luc Tapella 

Directeur 
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ANNEXE: 

National Specifications for 
Luxembourg 
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Introduction 

This document consists of Part A and Part B : 

PART A : Specification for passive interception 

This part describes the technical implementation of lawful interception of telecommunications. 
Implementation is carried out on the basis of the relevant ETSI specifications (refer to A.1), and this part 
describes the options and amendments that have been defined for Luxembourg. 

PART B : Specification for active interception 

This part describes the support that shall be supplied by the NWO/AP/SvP (Network Operator / Access 
Provider / Service Provider) in case of operations which require active interception. 

Scope 

This document is written in English and will be provided to the NWO/AP/SvP upon request. It applies to any 
NWO/AP/SvP in the Grand Duchy of Luxembourg that is obligated to comply in lawful interception. 
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Part A : Specification for passive interception 

Basis of this specification 

This Part A includes the ETSI documents listed below, which are applicable in the version noted as follows 
or in later versions, and are to be observed. 


[1] ETSI TS 101 671 

V3.14.1 

(2016-03) 

[2] ETSI TS 133 108 
System 

V14.0.0 

(2017-04) 

[3] ETSI TS 102 232-1 

V3.13.1 

(2017-03) 

[4] ETSI TS 102 232-2 

V3.10.1 

(2016-08) 

[5] ETSI TS 102 232-3 

V3.5.1 

(2017-03) 

[6] ETSI TS 102 232-4 

V3.3.1 

(2017-03) 

[7] ETSI TS 102 232-5 

V3.7.1 

(2017-03) 

[8] ETSI TS 102 232-6 

V3.3.1 

(2014-03) 

[9] ETSI TS 102 232-7 

V3.4.1 

(2017-03) 


Lawful Interception (LI) ; Handover 
Interface for the lawful interception of 
telecommunications traffic 

Universal Mobile Telecommunications 

(UMTS) ; LTE ; 3G security ; Handover 
interface for Lawful Interception (LI) 

Lawful Interception (LI); Handover Interface 
and Service-Specific Details (SSD) for IP 
delivery ; Part 1 : Handover specification for 
IP delivery 

Part 2 Service-specific details for 
messaging services 

Part 3 : Service-specific details for internet 
access services 

Part 4 : Service-specific details for Layer 2 
services 

Part 5 : Service-specific details for IP 
Multimedia services 

Part 6 : Service-specific details for PSTN/ 
ISDN services 

Part 7 : Service-specific details for Mobile 
Services 


The chosen options and national amendments to these ETSI documents are listed in the following chapters 
of Part A. If no options or amendments are defined in Part A, the corresponding ETSI document will be 
applicable without change in the version specified above or in a later version. 
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List of abbreviations 


Abbreviation 

3GPP 

AP 

ASN.1 

CC 

CCLID 

CSP 

CUG 

DSL 

ETSI 

FTP 

GGSN 

GLIC 

GPRS 

GSM 

HI 1 

HI 2 

HI 3 

ID 

IPSec 

IRI 

ISDN 

LALS 

LEA 

LEMF 

LI 

LI ID 

NEID 

NID 

NWO 

ROSE 

RTP 

SGSN 

SMS 

SSD 


Description 

3rd Generation Partnership Project 
Access Provider 
Abstract Syntax Notation One 
Content of Communication 
CC Link IDentifier 
Communication Service Provider 
Closed User Group 
Digital Subscriber Line 

European Telecommunications Standards Institute 

File Transfer Protocol 

Gateway GPRS Support Node 

GPRS LI Correlation 

General Packet Radio Service 

Global System for Mobile communications 

Handover Interface 1 

Handover Interface 2 

Handover Interface 3 

Identifier 

Internet Protocol Security 
Intercept Related Information 
Integrated Services Digital Network 
Lawful Access Location Services 
Law Enforcement Agency 
Law Enforcement Monitoring Facility 
Lawful Interception 
Lawful Interception Identifier 
Network Element Identifier 
Network Identifier 
Network Operator 
Remote Operation Service Element 
Real-Time Transport Protocol 
Serving GPRS Support Node 
Short Message Service 
Service-Specific Details 
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SvP 

Service Provider 

TCP 

Transmission Control Protocol 

TS 

Technical Specification 

UDP 

User Datagram Protocol 

ULIC 

UMTS LI Correlation 

UMTS 

Universal Mobile Telecommunication System 

UPS 

Uninterruptible power supply 

UUS 

User to User Signalling 

VPN 

Virtual Private Network 
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Chosen options and amendments 

Re [1] (TS 101 671) 

Options that can be chosen in each country and amendments to [1] are listed in this chapter. 


Re [1], General section 


Re Section 

Reference / Description 

National provision / extension 

5.1 

Handover interface 1 (HI1) 

Design, electronic or manual 

The HI1 interface will remain manual. If 
a legal basis is created for electronic 
implementation of the HI1 interface, this will 
be introduced at a later stage. 

Exception : LI management notifications (LI 
BEGIN, LI MODIFY, LI END, ALARM) shall 
be sent via the electronic HI2 interface (refer 
to [1], D.4). 

5.2 

Handover Interface port 2 (HI2) 

The IRI records shall be transmitted 
individually. 

6.1 

Lawful Interception Identifier (LIID) 

The LIID shall be defined by the LEA. 

6.2.1 

Network Identifier (NID) 

The NID consists of the Operator ID and 
Network Element Identifier (NEID). 

The Operator ID consists of up to 5 
characters ; the nomenclature is defined and 
updated by the LEA. 

The NEID is 1-25 characters long, as defined 
in [1] and shall be set by the NWO/AP/SvP. 

7.2 

LI notifications towards the LEMF 

LI management notifications (LI BEGIN, LI 
MODIFY, LI END, ALARM) shall be sent via 
the electronic HI2 interface (refer to [1], D.4). 

8.1 

Data transmission protocols (HI2) 

Only FTP shall be used, ROSE shall not be 
used. 

9 

HI3 Interface port for Content of 

Communication 

The Content of Communication (CC) shall be 
presented as a transparent en clair copy, if 
the encryption is managed by the network. 
Encryption not managed by the network, e.g. 
user provided end-to-end encryption, need 
not to be removed by the network. 

10.1 

Timing 

If IRI cannot be transmitted, they shall be 
buffered by the NWO/AP/SvP. 

Minimum buffer time : 3 days 

11 

Security aspects 

ISDN transmission : An ISDN CUG (Closed 
User Group) shall be formed as specified by 
the LEA. 

IP-based transmission : A VPN including 
IPSec encryption will be set up between 
the NWO/AP/SvPs obliged to provide 
for intercepts and the LEAs, refer to 
explanations in chapter A.4 of this document. 
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Re Section 

Reference / Description 

National provision / extension 

12 

Quantitative aspects 

The following figures can be used as a basis 
for dimensioning the technical equipment 
installed at the NWO/AP/SvPs : 

• 50 targets for the first 10000 subscribers 

• an additional 20 targets for each further 
10000 subscribers started 

(e.g. : NWO with 76000 subscribers shall be able to set 
up at least 50+7*20 = 190 targets) 


Re [1], Annex A circuit-switched network handover 


Re Section 

Reference / Description 

National provision / Extension 

A.1.3 

Use of identifiers 

As option A (A.5.4.1) has been specified in 
A.5.4, the rules according to table A.1.1, left 
side, apply. 

A.3.2 

Structure of IRI records 

Only IRI conforming to ASN.1 - description 
are permissible. 

A.3.2.1 

Control information for HI2, item 5 

Date and time shall be transmitted as local 
time. 

A.4 

HI3 : Interface port for Content of 
Communication 

The Content of Communication (CC) shall be 
presented as a transparent en clair copy, if 
the encryption is managed by the network. 
Encryption not managed by the network, e.g. 
user provided end-to-end encryption, need 
not be removed by the network. 

A.4.1 

Delivery of Content of Communication 
(CC) 

Use of UUS1 has been specified. In order to 
enable sub-addressing as fall-back, the LI ID 
for circuit-switched intercepts shall solely be 
implemented by number (LIID is set by the 
LEA). 

A.4.2 

Delivery of packetized Content of 
Communication (CC) 

Text messages (SMS) and UUS shall be 
transmitted via the HI2 interface. 

A.4.4.1 

Failure of CC links 

The NWO/AP/SvP shall make 3 attempts at 
an interval of 5 seconds. 

A.4.4.2 

Fault reporting 

Error messages shall be transmitted over 
HI2 in accordance with Annex D.4, if the 
system used by the NWO/AP/SvP supports 
this functionality. 
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Re Section 

Reference / Description 

National provision / Extension 

A.4.5 

Security requirements at the HI3 interface 
port 

Refer to 5.1.1, re 11. Security Aspects 

A.5.4 

Multi party calls - general principles, 
options A, B 

Option A shall be used. 

A.6.4.1 

Explicit call transfer, CC link 

Option 2 has been specified. 

A.6.22 

User-to-User signalling (UUS) 

Transmission via HI2 shall be used, also refer 
to A.4.2. 

A.8.3 

HI3 (delivery ofCC) 

Correlation information is transmitted in 
conformance with 5.1.2, sec. A.4.1. 

A.8.4 

HI2 (delivery of IRI) 

Redundant information shall be sent for each 
further event. 


Re [1], Annex C HI2 delivery mechanisms and procedures 


Re Section 

Reference / Description 

National provision / Extension 

C 

ROSE or FTP 

Only FTP shall be used, ROSE shall not be 
used. 

C.2.2 

Use of FTP 

Method B shall be used. 


Re [1], Annex D Structure of data at the handover interface 


Re Section 

Reference / Description 

National provision / Extension 

D 

ASN.1 object tree 

Additional national parameters will be 
established, refer to Annex A for the 
definition. 


Re [1], Annex E Use of subaddress and calling party number... 


Re Section 

Reference / Description 

National provision / Extension 

E.2 

Subaddress options 

According to Table E.2.1 in [1], the default 
value for type of subaddress is “user 
specified”. 

E.3.2 

Field order and layout 

To distinguish between "old" transmission 
and transmission in accordance with this 
specification, the octets 16-23 are allocated 
as follows : 

If ‘old’ transmission : no entry 

If transmitting according to this specification : 
"Xa.bb.cc" 

X : E for ETSI 

a : main version TS 101 671 

bb : technical version 

cc : editorial version 

(Example : E3.14.01 forTS 101 671 V3.14.1) 
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Re [1], Annex F GPRS HI3 interface (includes 3GPP as ref. in [1]) 


Re Section 

Reference / Description 

National provision / extension 

F.1 

Functional architecture 

GGSN and SGSN interception shall be set 
as standard in order to obtain a maximum of 
information. If for technical reasons only one 
kind of interception is possible, then SGSN 
interception shall be set up. 

F.3 

HI3 Delivery of Content of Communication 
(CC) 

Transmission by GLIC/TCP or FTP/TCP shall 
be used, GLIC/UDP shall not be used. 

F.3.2.2 

Use of FTP 

Method B shall be used. 

F.3.2.2 

Use of FTP 

The following triggers have been specified : 
send timeout = 10s 
volume trigger = 10 MByte 


Re [1], Annex D.5 ASN.1 - description of IRI (HI2) 


Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National provision / Extension 

04022.1 (1) 

Location 

In case of a mobile connection, the following 
parameters shall be set: 

- globalCelllD 

- gsmlocation or umtslocation 

04022.1 

Location/gsm Location/ GeoCoordinates 

The AZIMUTH value shall be set except in 
the case of an omni-directional antenna (360° 
antenna). 

04022.1 

National HI2-ASN1 parameters/ 
LuxParameters 

National parameters have been defined in 
addition to the ASN.1 description in [1] : the 
description can be found in Annex A. 

04022.1 

partyinformation 

An individual partyinformation shall be sent 
for EACH party involved in a communication. 

04022.1 

partyinformation/partyidentity 

All existing parameters shall be defined, 
depending on the means of communication 
used. 
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Re [2] (TS 133 108) 

The options that can be chosen in each country and amendments to [2] are listed in this chapter. 


Re [2], General section 


Re Section 

Reference / Description 

National provision / Extension 

4.4.1 

Handover Interface port 2 (HI2) 

The IRI records shall be transmitted 
individually. 

4.5 

HI2 : Interface port for intercept related 
information 

If it is not possible to transmit the IRI, they 
shall be buffered by the NWO/AP/SvP. 
Minimum buffer time : 3 days 

4.5.1 

Data transmission protocols (HI2) 

Only FTP shall be used, ROSE shall not be 
used. 

5.1.2.1 

Network Identifier (NID) 

The NID consists of the Operator ID and 
Network Element Identifier (NEID). 

The Operator ID consists of up to 5 
characters ; the nomenclature is defined and 
updated by the LEA. 

The NEID is 1-25 characters long, as defined 
in [1] and shall be set by the NWO/AP/SvP. 

5.1.5 

Use of identifiers 

As option A (5.4.4.1) has been specified in 
5.4.4, the rules according to table 5.1, left 
side, apply. 

5.2.2.1 

Control information for HI2, item 5 

Date and time shall be transmitted as Local 
Time. 

5.2.3 

HI2 (delivery of IRI) 

Redundant information shall be sent for each 
further event. 

5.3.1 

Delivery of Content of Communication 
(CC) 

Use of UUS1 has been specified. In order to 
enable sub-addressing as fall-back, the LI ID 
for circuit-switched intercepts shall solely be 
implemented by number (LIID is set by the 
LEA). 

5.3.3 

Security requirements at the interface 
port of HI3 

ISDN transmission: An ISDN CUG (Closed 
User Group) shall be formed as specified by 
the LEA. 

5.4.4.0 

Multi party calls - general principles, 
options A, B 

Option A shall be used. 

5.5.4.1 

Explicit call transfer, CC link 

Option 2 has been specified. 

5.5.15 

User-to-User signalling (UUS) 

Transmission via HI2 has been specified. 

6.2.1 

7.2.1 

8.2.1 

9.2.1 

10.2.1 

11.2.1 

12.2 

13.1.2.1 

Timing 

If IRI cannot be transmitted, they shall be 
buffered by the NWO/AP/SvP. 

Minimum buffer time : 3 days 
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Re Section 

Reference / Description 

National provision / Extension 

14.2.3.1 



6.2.1 

7.2.1 

10.2.1 

Precision of timestamps 

The timestamps shall have a precision of at 
least 1 millisecond. 

6.3 

7.3 

8.3 

9.3 

10.3 

11.3 

12.3 

13.1.3 

14.2.4.1 

Security aspects 

IP-based transmission : A VPN including 
IPSec encryption will be set up between 
the NWO/AP/SvPs obligated to provide for 
intercepts and the LEAs, refer to A.4 of this 
document. 

6.4 

7.4 

8.4 

9.4 

10.4 

11.4 

12.4 

13.1.4 

14.2.5.1 

Quantitative aspects 

The following figures can be used as a basis 
for dimensioning the technical equipment 
installed at the NWO/AP/SvPs : 

• 50 targets for the first 10000 subscribers 

• an additional 20 targets for each further 
10000 subscribers started 

(e.g. : NWO with 76000 subscribers shall be able to set 
up at least 50+7*20= 190 targets) 

6.5.0 

UMTS data events 

The event “start of interception with mobile 
station attached” mentioned in Table 6.1 shall 
generate a Report IRI. 

6.5.1.1 

REPORT record information 

All events marked as national option or 
as dependent on national regulations shall 
generate a Report IRI. 

6.6 

IRI reporting for packet domain at GGSN 

This option does not need to be implemented 
in Luxembourg. 

6.7 

Content of Communication interception 
for packet domain at GGSN 

The option has been chosen. All target traffic 
available at the interception node shall be 
routed to the LEA. 

7.5.0 

Location Information 

Location information shall be provided except 
it is explicitly prohibited by the warrant. 

12.5 

IRI for IMS-based VoIP 

The national option has been chosen, LEMF 
shall be informed about the unavailability of 
CC. 


Re [2], Annex A HI2 delivery mechanisms and procedures 


Re Section 

Reference / Description 

National provision / Extension 

A 

ROSE or FTP 

Only FTP shall be used, ROSE shall not be 



used. 

A.2.2 

Use of FTP 

Method B shall be used. 

A.2.2 

Use of FTP 

The following triggers have been specified : 



send timeout = 10s 
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volume trigger = 10MByte 


Re [2], Annex C UMTS and EPS HI3 interface 


Re Section 

Reference / Description 

National provision / Extension 

C 

UMTS and EPS HI3 interfaces ; methods 
of transmission 

Only ULICvl via TCP stream shall be used. 

C.2.2 

Use of FTP 

Method B shall be used. 


Re [2], Annex J Use of subaddress and calling party number... 


Re Section 

Reference / Description 

National provision / Extension 

J .2.3.2 

Field order and layout 

To distinguish between "old" transmission 
and transmission in accordance with this 
specification, the octets 16-23 are allocated 
as follows : 

If ‘old’ transmission : no entry 

If transmitting according to this specification : 
"Xa.bb.cc" 

X : E for ETSI 

a : main version TS 101 671 

bb : technical version 

cc : editorial version 

(Example : E3.14.01 forTS 101 671 V3.14.1) 


Re [2], Annex O LALS (Lawful Access Location Services) 


Re Section 

Reference / Description 

National provision / Extension 

O 

LALS 

NWO/AP/SvPs shall inform LEA if LALS is 
supported in NWO/AP/SvPs’s network. 

In this case, LALS shall be activated for 
specific targets upon LEA’s request. 

The required parameters will be defined by 
the LEA. 


Re [2], Annex B Structure of data at the handover interface 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1 - 
Reference 

Reference / Description 

National provision / Extension 

04022.49 (2) 

Eps-HI3-PS 

To avoid any doubt : The timestamp 
parameter in the ULIC header shall be 
provided. 
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Re [3] (TS 102 232-1) 

The options that can be chosen in each country and amendments to [3] are listed in this chapter. 


Re [3], General section 


Re Section 

Reference / Description 

National provision / Extension 

5.2.3 

Authorization country code 

Specified as "LU". 

5.2.4 

Communication identifier 

The Operator ID consists of up to 5 
characters ; the nomenclature is defined and 
updated by the LEA. 

5.2.6 

Payload timestamp 

Re Note 2 : The ASN.1 MicroSecond- 
TimeStamp should be used. 

Re Note 3 : The timeStampQualifier shall be 
set. 

6.2.3 

Aggregation of payloads 

Combined transmission of IP packets is 
authorised, but shall not delay transmission 
for more than 2 seconds. 

6.2.4 

Sending a large block of application-level 
data 

Segmentation is not used. 

6.2.5 

Padding data 

Padding is not used. 

6.2.6 

Payload Encryption 

Payload encryption is not used. 

6.3.1 

General 

TCP/IP socket connections are used. 

6.3.2 

Opening and closing connections 

The NWO/AP/SvP shall make 3 connection 
attempts at an interval of 10 seconds. 

The socket connection shall be closed by the 
NWO/AP/SvP after 2 minutes of inactivity. 

6.3.4 

Keep-alives 

Using Keep-alives may be used if desired, 
but use shall be agreed between NWO/ 
AP/SvP and LEA. The preferred method is 
to close the connection after 2 minutes of 
inactivity according to 6.3.2. 

If the LEA requests Keep-alives, the function 
shall be implemented. 

6.3.5 

Option negotiation 

Option negotiation is currently not used, but 
maybe implemented on LEAs request at a 
later stage. 

6.4.2 

TCP Settings 

The port numbers to be used will be 
specified by the LEA. 

6.4.3 

Acknowledging data 

Option 1 is chosen. 

7.2 

Security requirements 

IP-based transmission : A VPN including 
IPSec encryption shall be set up between the 
NWO/AP/SvPs and the LEAs; refer to A.4. 

7.2.3 

Integrity 

NWO/AP/SvPs shall inform LEA if periodic 
integrity checks are supported in NWO/AP/ 
SvPs's network. In this case, this shall be 
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activated upon LEA's request. The required 
parameters will be defined by the LEA. 


Re [3], Annex D IRI by post and pre-processing HI3 information 


Re Section 

Reference / Description 

National provision / Extension 

D.4 

IRI by post and pre-processing HI3 
information 

Pre-processing at LEMF to generate IRI is 
not considered, the IRI shall be generated by 
post-processing at CSP’s domain. 


Re [3], Annex F Traffic management of the handover interface 


Re Section 

Reference / Description 

National provision / Extension 

F.4 

National considerations 

Filtering at the mediation function should be 
implemented upon request by the LEA. 

F.5.2 

Maximum buffering time 

To protect against loss of data due to 
equipment or network problems, the buffering 
time shall be 5 minutes taking into account 
the maximum bandwidth at the network 
interface of the delivery function. 


Supplements to [3], Annex A ASN.1 syntax trees 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National Provision / Extension 

04022.51 (3) 

General 

The provisions in [3] remain unchanged. 
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Re [4] (TS 102 232-2) 


Re [4], General Section 


Re Section 

Reference / Description 

National provision / Extension 

4.2 

Unified messaging 

Handover of intercepted e-mail shall 
be according to EmailCC and EmaillRI 
structures. 

7 

E-mail attributes 

All attributes mentioned in 7.1 to 7.10 shall 
be set. 


Supplements to [4], Annex D Messaging ASN.1 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National Provision / Extension 

04022.52 (4) 

General 

The provisions in [4] remain unchanged. 
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Re [5] (TS 102 232-3) 


Re [5], General Section 


Re Section 

Reference / Description 

National provision / Extension 

6.2.2 

Use of location field 

The location parameter shall be set. 


Supplements to [5], 8 ASN.1 for IRI and CC 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National Provision / Extension 

04022.53 <5) 

General 

The provisions in [5] remain unchanged. 
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Re [6] (TS 102 232-4) 

Re [6], General Section 

The provisions in the specified documents remain unchanged. 

Supplements to [6], 8 ASN.1 for IRI and CC 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National Provision / Extension 

04022.54 (6) 

General 

The provisions in [6] remain unchanged. 
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Re [7] (TS 102 232-5) 


Re [7], General Section 


Re Section 

Reference / Description 

National provision / Extension 

5.2.3 

Location information 

The location information shall be reported. 

5.6 

Direction for IMS IRI for Signalling 
Messages 

The payloadDirection parameter shall be 
used. 

5.7.1 

Direction for SIP sessions 

The sessionDirection parameter shall be 
used. 


Supplements to [7], 7 ASN.1 specification for IRI and CC 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 
Reference 

Reference / Description 

National Provision / Extension 

04022.55 (7) 

General 

The provisions in [7] remain unchanged. 
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Re [8] (TS 102 232-6) 

Re [8], General Section 

REMARK : If the NWO/AP/SvP’s equipment supports delivery of CC via dedicated ISDN channels as 

described and defined in [1], this method shall be used for PSTN/ISDN services described 
inTS 102 232-6 as well. 

If delivery of CC via dedicated ISDN channels is not supported by the NWO/AP/SvP’s 
equipment, the CC delivered via RTP according to [8] shall be coded in G.711. 


Re Section 

Reference / Description 

National provision / Extension 

6.3.2 

Supplementary information 

All fields mentioned in the table shall be set. 


Supplements to [8], Annex A ASN.1 for IRI and CC 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 


ASN.1- 

Reference 

Reference / Description 

National Provision / Extension 

04022.56 <8) 

General 

The provisions in [8] remain unchanged. 
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Re [9] (TS 102 232 - 7) 

Re [9] ; General Section 

The provisions in the specified documents remain unchanged. 

Supplements to [9] ; Annex A ASN.1 for IRI and CC 

Clarification : Any parameter described in the ASN.1 notation, even if marked as OPTIONAL in the ETSI TS, 
SHALL be transmitted, insofar it exists with regard to the respective message. 
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Technical Provisions 

ISDN-based transmission 


Routing of CC (Content of Communication) is via ISDN dial-up lines using Euro ISDN (E-DSS1). An ISDN 
CUG (Closed User Group) between the NWO/AP/SvP and the LEA shall be set up. 


IP-based transmission 


IP-based transmission takes place over a VPN. Provision, configuration and operation of the VPN 
components are the responsibility of the LEA. 

The following components shall be provided by the NWO/AP/SvP : 

• Transparent Internet access to each LEA : 

Internet access shall be sized adequately, shall have static, official IP addresses and shall have maximum 
availability with regard to the infrastructure of the NWO/AP/SvP. 

Internet access needs to be planned and implemented in parallel if required by the LEA for introduction 
of redundancy. In this case, both Internet accesses should be planned as independently as possible 
from one another, taking the infrastructure at the NWO/AP/SvP into account (e.g. separate physical entry 
points, routing, autonomous network components, independent peering points). 

• Infrastructure at the handover point: 

The following components are to be supplied by the NWO/AP/SvP : 
o exclusive 19" rack, with lock 

o 2 X 230 VAC, 16 amp. power supply (connected to UPS) 
o waste heat dissipation capacity for the rack : minimum 2kW 
o installation in IT server room 

o transparent Internet access/Internet access terminates in this 19" rack (Ethernet interface) 
o handover from the provider’s network takes place in this 19" rack (Ethernet interface) 





VPN-tunnel 1 and 2* 



under NWO/AP/ ! under LEA's ! IP-connectivity towards LEA under 

SvP's responsibility ; responsibility • NWO/AP/SvP’s responsibility 


under LEA's 
responsibility 


* second Internet access upon request by the LEA 
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Annex A : National HI2-ASN.1 parameters 

Additions to HI2-Operations 

{itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawfullntercept(2) hi2(1) version18(18)} 

DEFINITIONS IMPLICIT TAGS ::= 

BEGIN 

IMPORTS 

Natparas FROM NatParameter; 

IRI-Parameters ::= SEQUENCE 

{ 

domainID [0] OBJECT IDENTIFIER (hi20perationld) OPTIONAL, 

-- for the sending entity the inclusion of the Object Identifier is mandatory 

national-HI2-ASN1 parameters[255] National-HI2-ASN1 parameters OPTIONAL 

} 

National-HI2-ASN1 parameters SEQUENCE 

{ 

countryCode [1] PrintableString (SIZE (2)), 

-- Country Code (LU for Luxembourg) according to ISO 3166-1, 

-- the country to which the parameters inserted after the extension marker apply. 

-- In case a given country wants to use additional national parameters according to 
-- its law, these national parameters should be defined using the ASN.1 syntax and 
-- added after the extension marker (...). 

-- It is recommended that "version parameter" and "vendor identification parameter" 

-- are included in the national parameters definition. Vendor identifications can be 
-- retrieved from the IANA web site (see annex H). In addition, avoiding the use 
-- of tags from 240 to 255 is recommended in a formal type definition, 
natparas [2] Natparas, 

-- Import from national specifications for Luxembourg, Annex A 

} 

END -- HI20perations 
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NatParameter 


-- National parameter 
-- Content defined by national law 

-- Version of this ASN.1 specification of the national parameters : T 
-- To be inserted into the parameter "specificationVersion" 

-- The coding of all text fields shall be according to CODEPAGE 1252 

NatParameter 


DEFINITIONS IMPLICIT TAGS ::= 
BEGIN 


Natparas SEQUENCE 

{ 

natVersion [1] SEQUENCE 

{ 

Version [1] INTEGER(0..255) 

}. 

locationDetails [2] LocationDetails OPTIONAL 


} 


**************************** 


********************** 


LocationDetails ::= SEQUENCE 


{ 

radius [0] INTEGER(0..2147483647) OPTIONAL, 

-- radius of a cell in metres 

radiationDirection [1] INTEGER(0..359) OPTIONAL, 

-- radiation direction of the main beam of a cell in degrees relative to true north 

deflectionAngle [2] INTEGER(0..360) OPTIONAL, 

-- deflection angle of the cell in degrees 

field Intensity [3] INTEGER(-200..0) OPTIONAL, 

--field intensity of the mobile phone in [dbm] 

remark [4] PrintableString (SIZE (256)) OPTIONAL 

-- free text for additional information 

-- (e.g. "antenna position main station, building 16") 

} 

**************************** pgpgr end ********************** 


END 
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Specification for active interception 
General Requirements 

In accordance with the relevant domestic laws, a NWO/AP/SvP shall support the integration of active 
interception equipment into its network upon request by the LEA. 

The active interception equipment will be provided and operated by the LEA responsible. 

Depending on the case and the nature of the active interception, the point and type of integration into the 
NWO/AP/SvP’s network and the level of required support may vary. 

Prior to the integration, the LEA responsible will communicate the detailed requirements to the NWO/AP/SvP. 

Technical Provisions 

The required technical provisions will be announced by the LEA on a case-by-case basis. The general 
infrastructural requirements will be the same as described in chapter A.4.2 of this document. 


(1) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawfullntercept(2) hi2(1) version18(18)} 

(2) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawfulintercept(2) threeGPP(4) hi3eps(9) rl 2(12) version-O(O)} 

(3) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawful I ntercept(2) li-ps(5) genHeader(1) version24(24)} 

(4) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawfullntercept(2) li-ps(5) email(2) version 16(16)} 

(5) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawful I ntercept(2) li-ps(5) iPAccess(3) version 11 (11)} 

(6) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawful I ntercept(2) li-ps(5) l2Access(4) version7(7)} 

(7) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawful I ntercept(2) li-ps(5) iPMultimedia(5) version8(8)} 

(8) {itu-t(O) identified-organization(4) etsi(0) securityDomain(2) lawfullntercept(2) li-ps(5) pstnlsdn(6) version5(5)} 
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